[NTLUG:Discuss] routing concept
terry
trryhend at gmail.com
Sat Mar 1 20:33:20 CST 2008
On Sat, Mar 1, 2008 at 7:38 PM, terry <trryhend at gmail.com> wrote:
>
> On Sat, Mar 1, 2008 at 7:27 PM, terry <trryhend at gmail.com> wrote:
> >
> > On Sat, Mar 1, 2008 at 7:18 PM, terry <trryhend at gmail.com> wrote:
> > >
> > > On Sat, Mar 1, 2008 at 12:39 PM, Richard <ntlug at rain4us.net> wrote:
> > > >
> > > > On Fri, Feb 29, 2008 at 4:03 PM, Richard <ntlug at rain4us.net> wrote:
> > > > > > I'm struggling with a routing concept and I'm wondering what the
> > > > > > best way to implement this would be.
> > > > > >
> > > > > > I have an internet connection that has been assigned a SINGLE IP
> > > > > > address with a class C address. Then I have a /29 subnet being
> > > > > > routed TO that single IP address on the class C subnet.
> > > >
> > > > [best viewed with a non-proportional based font]
> > > >
> > > > ______
> > > > \ | |
> > > > I \4.2.2.1 4.2.2.3| |
> > > > S |--------------------| |eth1
> > > > P | eth0| |------
> > > > / | |
> > > > | |
> > > > hdlc0| |
> > > > To ISP#1<-----------|______|
> > > >
> > > >
> > > >
> > > > Let me see if I can explain this better. Let's say that I've been given
> > > > a real world IP address of 4.2.2.3 for a real world address with a gateway
> > > > of 4.2.2.1. Getting that bound is easy and works.
> > > >
> > > >
> > > > Now let's say that the ISP is routing 5.2.2.0/29 to me. (That leaves
> > > > me with the IP address range 5.2.2.0 - 5.2.2.7.) Those IP addresses will
> > > > be routed THROUGH 4.2.2.3. This means that I am going to have to bind the
> > > > 5.2.2.0/29 subnet SOMEWHERE in the Linux box. Now, if I just bind an IP
> > > > address like 5.2.2.1 as a secondary IP address on ETH0 (eth0:1), what am I
> > > > going to have to do to get the packets to route properly? I'm wondering
> > > > if I'll have to set the default route of eth0:1 to be the 4.2.2.3 address.
> > > >
> > > > My other thought is that I'm going to have to have a different NIC
> > > > (whether physical or virtual) onto which to bind the addresses.
> > > >
> > > >
> > > > ________________
> > > > \ | |
> > > > I \4.2.2.1 4.2.2.3|5.2.2.1 |10.x.x.x
> > > > S |--------------------|-------- |---------
> > > > P | eth0|eth0:1 |eth1
> > > > # / |(eth0:x) |
> > > > 2 / | ?Default route |
> > > > | for eth0:x ? |
> > > > | |
> > > > hdlc0| |
> > > > To ISP#1<-----------|________________|
> > >
> > >
> > > eth0 [probably] does not need a default route
> > >
> > >
> > >
> > > >
> > > > Now comes iptables, DNAT and SNAT. I am going to guess that all of my
> > > > firewall rules will be based on the eth0:x interfaces (and their
> > > > associated IP address). The thing is, when adding dead gateway detection
> > > > ( http://www.ssi.bg/~ja/ ) into the mix, how do I handle ensuring that the
> > > > outgoing packets have the proper SNAT address? The eth0 interface will
> > > > need to be the one to participate in DGD since it is THAT route that would
> > > > be the route that is critical if it were down, yet netfilter will be source
> > > > NATing the packets from the 'internal' (eth0:x 5.2.2.x) segment. When the
> > > > kernel makes a routing decision of which SNAT interface to use (hdlc0 or
> > > > eth0:X) the answer can never be considered correct because eth0:X will
> > > > ALWAYS be up...because it's local!
> > > >
> > > > Maybe I'm stuck in some circular logic...or don't have a proper grasp on
> > > > this. I've come to regard ntlug as one of the BEST places for competent
> > > > support, so I gravitate here to resolve my issues. However, I realize that
> > > > there may be a better place for me to discuss this issue? If anyone can
> > > > refer me to such a place, I'd be grateful.
> > > >
> > > > NOTES:
> > > >
> > > > * 4.2.2.1, 4.2.2.2, and 4.2.2.3 are the old GTE (now Verizon) DNS server
> > > > addresses and are NOT my addresses. 5.2.2.x is...well, something I pulled
> > > > out of thin air.
> > > >
> > > > * Other links of interest..
> > > > ** http://www.experts-exchange.com/Networking/Linux_Networking/Q_21828553.html
> > > > ** http://lartc.org/howto/lartc.rpdb.multiple-links.html
> > > > ** http://www.experts-exchange.com/Networking/Linux_Networking/Q_21828553.html
> > > >
> > > > {It would be nice to have an email client that understood pmwiki
> > > > formatting! :)}
> > > >
> > > > By the way, Patrick, thanks again for pmwiki - I live and die by the
> > > > documentation I can keep in there.
> > > >
> > > >
No, that's all wrong. I should have stayed out of this; I'm only a
novice iptables rule writer - I use the trial & error method (mostly
error), but I guess I'm just way off this time, sorry. You'd have to
set routes internally and I'm just lost.
(I keep getting confused with trying to route to another machine, which is
one problem, but anyway, sorry, disregard...)
--
<><
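Added example, not from the thread: a toy longest-prefix-match lookup over a routing table built from the addresses Richard quotes. It shows the point behind "eth0:1 does not need a default route": the kernel keeps one table keyed on the destination, the egress interface falls out of the most specific match, and the source address (or SNAT target) follows from the chosen route, so a routed /29 behind the box needs no NAT at all. The layout (the /29 on eth1, a private 10.0.0.0/8 behind eth1, 8.8.8.8 as a remote host) is a constructed assumption.

```python
"""Toy longest-prefix-match routing lookup for the thread's example addresses."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str] = None   # next hop; None means directly connected
    src: Optional[str] = None   # preferred source address for traffic leaving via this route


# Constructed table (assumed layout, not the poster's): the public /24 lives on
# eth0 with the ISP gateway 4.2.2.1, the routed 5.2.2.0/29 is placed on the
# inside interface eth1, and a private 10.0.0.0/8 also sits behind eth1.
ROUTES = [
    Route(ipaddress.ip_network("4.2.2.0/24"), "eth0", src="4.2.2.3"),
    Route(ipaddress.ip_network("5.2.2.0/29"), "eth1", src="5.2.2.1"),
    Route(ipaddress.ip_network("10.0.0.0/8"), "eth1", src="5.2.2.1"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "eth0", via="4.2.2.1", src="4.2.2.3"),
]


def lookup(dst: str, table=ROUTES) -> Route:
    """Return the most specific route containing dst, as the kernel's FIB does.
    Raises LookupError when nothing matches, i.e. when there is no default route."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def forward(src: str, dst: str, table=ROUTES) -> dict:
    """Decide egress interface and next hop for a forwarded packet, and whether
    its source must be SNATed: only RFC 1918 sources leaving via eth0 need it;
    the publicly routed 5.2.2.x hosts keep their own addresses."""
    route = lookup(dst, table)
    needs_snat = ipaddress.ip_address(src).is_private and route.dev == "eth0"
    return {
        "dev": route.dev,
        "via": route.via or dst,             # connected prefix: deliver to dst directly
        "snat_to": route.src if needs_snat else None,
    }
```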